Policy Management

Have a general question related to SmartConsole and/or SmartDashboard? This is the place to ask! For questions related to configuring Access Policy, including VPN, NAT, and Identity Awareness, ask in the Access Control Products space.

Renjith_M_P
Renjith_M_P inside Policy Management 9 hours ago
views 174 3

Traffic is accepted by implied rule

Hello everyone,

We are getting traffic accepted by an implied rule. We have a Stealth and a Clean-up rule in the policy. How can we block such access? I verified SK sk105740, but I am unable to locate "accessibility" in R80. We don't have the Mobile Access blade installed. How do I block the traffic?

Screenshot attached.
phlrnnr
phlrnnr inside Policy Management Friday
views 171 3

Policy verification failed for rule with network objects and access roles

I am new to Identity Awareness. I have implemented Identity Collector with AD and LDAP connectivity from the GWs. I have an existing network rule that has normal source / destination hosts and network objects in them. I added an access role to the 'Destination' column, and the policy verification fails stating "'Destination' column of the rule contains both Access Roles and network objects".

1. Why can't network objects and access roles co-exist in the same column?
2. What is the best practice for deploying these rules? Do I have to create an identical rule with the source / services, and put just the access role in for the destination?

R80.20 / JHFA 87

Thanks,
Phil
Tomer_Sole
inside Policy Management Friday
views 36369 20 29
Mod

Layers in R80

I would like to clarify the use of layers in R80 Management Server and SmartConsole.

A layer is a set of rules, or a rule-base. R80 organizes the policy with ordered layers. For example, Gateways that have the Firewall and Application Control blades enabled will have their policies split into two ordered layers: Network and Applications. Another example is Gateways that have the IPS and Threat Emulation blades enabled, which will have their policies split into two ordered layers: IPS and Threat Prevention. For pre-R80 Gateways, this basically means the same enforcement as it always was, only in a different representation in the Security Management.

Ordered layers are enforced this way: when the Gateway matches a rule in a layer, it starts to evaluate the rules in the next layer.

The layers concept opens more options for policy management:

1. Setting different view and edit permissions per layer for different administrator roles.
2. Re-using a layer in different places: the same Application Control layer in different policy packages (Sharing a layer across different policies), or the same inline layer for different scopes.
3. Explaining global and local policies in Multi-Domain with the same feature set of layers: a domain layer will be the set of rules that are added in each domain by the domain administrator.

R80.10 Gateways and above will have the ability to utilize layers in new ways:

1. Unifying all blades into a single policy (How to use the unified policy?)
2. Segregating a policy into more ordered layers, not necessarily by blades
3. Allowing sub-policies inside a rulebase, with the use of inline layers (How do I define different policies for different users?)
Jose_Ramon_Rodr
Jose_Ramon_Rodr inside Policy Management Thursday
views 4512 7 3

Searching zero hits rules in R80.10

Hi,

Prior to R80.10 you could find every rule with zero hits right from the search bar. For instance, in R77.30 you could see only the rules with no hits this way (screenshot).

Now in R80.10 I can't find the way to do that search. In the "Searching a Rule Base" page in SmartConsole R80.10 Help there are no clues about it.

Is there a way to do this search?

Greetings.
Mart_Pirita
Mart_Pirita inside Policy Management Tuesday
views 8368 58 19

When Will SmartConsole Support In-Place Updates?

Hi,

I have used CheckPoint since 2005 and I'm now pretty sure that CheckPoint hates SmartConsole users, as in year 2019 it's impossible to upgrade CheckPoint SmartConsole without uninstalling the old CheckPoint SmartConsole. And in year 2019 this uninstalling does not give any option to save settings and fingerprints, like for example Juniper's Pulse does.

Uninstalling CheckPoint console removes all settings and fingerprints, but of course it does not remove the installation folder C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10, and later on the new installer then gives the error "The installation directory provided is not empty and might contain previous installation files. To proceed with the installation, please clean this directory or select an empty folder".

Really? In year 2019 I must do it manually? What do you CP guys smoke?

Investigated this a bit and it finally turned out that folder C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10 contained one empty folder "PROGRAM". After manually removing the C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10 folder, the installer was happy.

But I'm not happy, as the console thinks I'm using it for the first time, so I must add all settings again. Accept all server fingerprints again. Close the boring popup notifications again. Etc. And as CheckPoint keeps constantly upgrading SmartConsole, I must deal with this installer issue quite often.

Conclusion: in year 2019 we are paying huge money to CheckPoint and in return we're getting a lousy product, and for comparison freeware tools can create better Windows installer packages with better logic, but CheckPoint can't or won't.
Lijo_mathai
Lijo_mathai inside Policy Management a week ago
views 608 13

Unable to clone policy package in R80.20

Hi, after upgrading to R80.20 and applying Take 47, I am unable to clone the existing policy package. Is there anything I am missing? I checked that there is no validation error for the name I used to clone, but still I am unable to clone the policy. Attached is the error I faced.
Maik
Maik inside Policy Management a week ago
views 267 4 1

Export implied rules from policy

Hello guys,

Short question... I got asked by a customer whether it is possible to export the implied rules from a given policy. I know that this question maybe sounds weird, as these rules can't be modified at all (just the logging option and where the rules should be matched ~ First rules | Before last rules | Last rules). But this is required for some kind of management report.

The file $FWDIR/lib/implied_rules.def seems to include the implied rules in an absolutely not readable format (which makes sense, as this file should not be opened or modified manually). But are there other ways to achieve the described goal in any way? The Mgmt API is not able to read these rules either (can't find any parameter for implied rules). I also tried to achieve something via the generic object API, but my guess is that the implied rules don't even have a UID to work with... so yeah. Kinda complicated (and maybe a weird question). Hope someone can help me.

Regards,
Maik
HeikoAnkenbrand
HeikoAnkenbrand inside Policy Management 2 weeks ago
views 972 7 3

R80.20 - SNI vs. enabled HTTPS Interception

R80.20+ with HTTPS interception enabled: If HTTPS interception is enabled, the Host parameter from the HTTP header can be used for the URL, because the traffic is analyzed by active streaming. Check Point Active Streaming (CPAS) allows the changing of data; we play the role of "man in the middle". CPAS breaks the connection into two parts using our own stack. This means we are responsible for all the stack work (dealing with options, retransmissions, timers etc.). An application is registered to CPAS when a connection starts and supplies callbacks for the event handler and read handler. Several protocols use CPAS, for example: HTTPS, VoIP (SIP, Skinny/SCCP, H.323, etc.), Security Server processes, etc. CPAS breaks the HTTPS connection into two parts using our own stack, which means we are responsible for all the stack work (dealing with options, retransmissions, timers etc.).

More read here: R80.x Security Gateway Architecture (Content Inspection)

R80.20+ without HTTPS interception enabled (SNI is used): If HTTPS interception is disabled, SNI is used to recognize the virtual URL for Application Control and URL Filtering.

More read here: URL Filtering using SNI for HTTPS websites.pdf
Oliver_Locher
Oliver_Locher inside Policy Management 2 weeks ago
views 1176 8 2

How am I able to remove a Threat Prevention layer from the database?

I know how I can delete Access Control layers (via Manage Layers), but I didn't find any capability to remove a Threat Prevention layer. I always get a name uniqueness error when I would like to publish my changes, because I have two Threat Prevention layers with the same name. So how am I able to remove those?

Error screen: (attached)

Thx for help
J_Saun
J_Saun inside Policy Management 2 weeks ago
views 270 2

Add to and view policy from command line

We have a situation where our firewall will be in place and live before our firewall manager. To expedite the build of the environment we need to add rules to the firewall/policy. I know it is possible to add rules using a script via the CLI, but for visibility purposes, are we able to view the policy installed on the firewall from the command line? Or is it only possible to see the installed policy via the SmartConsole GUI?
Tomer_Sole
inside Policy Management 2 weeks ago
views 3897 6 9
Mod

IPS Protections in Detect (Staging)

With R80.10, the new default profile "Optimized" sets all newly downloaded IPS protections to be in state "Detect (Staging)" or "Inactive".

1. We start with the General page. It has settings for whether a protection should be in Detect, Prevent, or Inactive.

2. Then, in the Updates page, we see that newly downloaded protections are automatically set to "Detect". This means that:
- If a newly downloaded protection was supposed to be in "Prevent", it will be set as "Detect (Staging)".
- If a newly downloaded protection was supposed to be in "Detect", it will be set as "Detect (Staging)".
- If a newly downloaded protection was supposed to be in "Inactive", it will remain Inactive.

3. Sometimes an IPS update issues an update to an existing protection. In this case, the updated protection is back to the "newly downloaded protection" state, which leaves it as either "Detect (Staging)" or "Inactive".

It is important to remember these things, because it requires you to manage your staging protections; otherwise they will not be in Prevent mode. You can do that from either:

1. The IPS Protections page with the filter for "Staging" status
2. Logs that appear in the query page for "IPS --> Staging"

You can also automate some of this work:

1. Apply additional configuration which excludes some protections from the "Detect (Staging)" status, leaving them with Prevent, Detect or Inactive.
2. Automatically change protections to Inactive based on tags.
3. Using the show threat-protections and set threat-protection API commands, you can create an automatic reaction which changes the action from "Detect (Staging)" to "Prevent" or "Inactive" based on custom decision factors. For example:

set threat-protection name "Aggressive Aging" overrides.remove.1 "New profile 1" overrides.remove.2 "New Profile 2"
Maarten_Lutterm
Maarten_Lutterm inside Policy Management 2 weeks ago
views 286 2 1

Group Convention in R80.X

Hi,

We have a customer that is running R77.30 and is using Group Convention, so group membership is done based on color and 'starts with', 'contains', 'ends with'.

We want to migrate to R80.10, but if we create a group in R80.X we don't see the possibility anymore to use Group Convention. Does someone know how it's done in R80.X, or is this done another way in R80.X?

See the attached screenshot for how it's configured in R77.30.

Please let me know!

Best Regards,
Maarten Lutterman
Dave_Taylor1
Dave_Taylor1 inside Policy Management 2 weeks ago
views 563 9

Service Object - Match for Any

I'm working on firewall standards for our security team, and one of the items includes creating new services.

I know there are issues creating new objects and leaving the default "Match for Any" selected, but I'm not able to find specific details for this in any of the Check Point documentation.

What is Check Point's recommendation regarding this?
nagaraja_cs
nagaraja_cs inside Policy Management 3 weeks ago
views 260 5

Unable to install QOS policy

Hi Team,

We have upgraded the appliance and changed the management interface. R80.20 cluster with Jumbo Hotfix Take 103. Everything works fine except QoS.

When we install the QoS policy, we are getting the error "A network interface name does not match the name assigned to the interface by the operating system". There is no change in the interface name; we have verified it. We have followed sk147593, but still it is the same. Disabled the QoS blade and re-enabled it, but no luck.

We have a hospital environment, so it is required to assign minimum bandwidth for one of the critical machines. Immediate help is appreciated.
Marcus_with_C
Marcus_with_C inside Policy Management 3 weeks ago
views 451 8 1

Change Match for Any Default value

Hi community,

I am looking for a way to change the default value of "Match for Any" for new Service Objects. We have an R80.20 MDM and mostly have to use "basic" service objects (TCP/UDP, no protocol detection and default timeouts) for our policies; Match for Any is not needed for 95% of our objects.

Since every new object that is created has Match for Any enabled, we get loads of warnings "Services port conflict. port X (udp/tcp) serves both <object1> and <object2>. Uncheck 'Match for Any' checkbox in the 'Advanced' dialogue for one of them." when installing the policy. A cleanup takes ages, and after some months it starts all over again due to new objects having been created.

Many Thanks
Marcus